Author Archive - Maxim Goncharov (Senior Threat Researcher)

In trying to gauge the impact of the Heartbleed vulnerability, we proceeded to scanning the Top Level Domain (TLD) names of certain countries extracted from the top 1,000,000 domains by Alexa. We then proceeded to separate the sites which use SSL and further categorized those under “vulnerable” or “safe.” The data we were able to gather revealed some interesting findings.

As of the moment, we see an overall percentage of around 5% in terms of sites affected by CVE-2014-0160. The TLDs with the largest percentage of vulnerable sites are .KR and .JP. It’s interesting to note that sites from the .GOV TLD rank fifth on the list.

Figure 1. A breakdown of vulnerable sites per country
(Click image above to enlarge)

On the other hand, we have significantly low number of vulnerable sites under .FR and .IN TLDs. We just think of a few theories why this is so. Maybe they haven’t updated to the version of OpenSSL which was vulnerable. They could also have immediately patched vulnerable sites. Another possible reason is in these countries, relatively few servers use the most recent versions of Linux (and so use older versions of OpenSSL without this vulnerability).

We are going to rescan selected TLDs in a few days to monitor possible changes. In the meantime, we advise website administrators to update OpenSSL to protect their users.

Update as of April 10, 2014, 10:18 A.M. PDT: The title has been edited for clarity.

For other posts discussing the Heartbleed bug, check these other posts:

Recently, I had pleasure to attend the ZeroNights 2012 security conference. ZeroNights 2012 is an international conference that covers the technical side of information security. The main scope of the conference is to distribute information about new attack methods, threats and defense tools.

This year’s conference took place last November 19-20 in Moscow, right in the middle of the city with both the Kremlin and the Moscow River nearby. I had some problems finding the venue as it was a bit hidden and it was rush hour, but I was (almost) on time and only missed the welcome coffee and the keynote.

The conference itself had four tracks, and I have to admit that I was lost at times due to the choices available and had to cast lots to decide which track to go for. I would like to highlight the three presentations that impressed me the most.

One of the main functional components of enterprise applications and Internet portals is an authentication and access control system (AuthC/Z). This presentation described a popular access control system called ForgeRock OpenAM.

During the presentation Andrey and his assistant Georg showed how it is possible to exploit Server Side Request Forgery and Local File Include vulnerabilities on the said access control system. Combining the two above vulnerabilities and an XML external entity vulnerability, they were able to read files and folders on the server side. Combining the 3 techniques, they wrote a simple fuse module to read files remotely. The fuse module cached files, and then with bash commands is easy to “ls” or “cat” or even “find” everything you need on the server side.

Earlier today, we released the paper Russian Underground 101 which provides readers an overview of the Russian underground economy. The Russian underground is a key source for all sorts of illegal products and services used by criminals, which is ultimately aimed at users all over the world.

By exploring underground resources, (visiting various underground forums) we were able to determine the products and services that are most commonly traded for, as well as the prices of these goods. This provides us with a good insight into the Russian underground ecosystem, information which can be used to provide enhanced protection for Trend Micro customers.

A wide variety of goods and services are sold in the Russian underground economy. These include exploit kits (which can cost several thousand dollars for well-known, effective kits), “bullet-proof” web hosting, VPN services, and custom-created malware. Business aspects of the underground (such as the pay-per-install service model), are also included.

On December 6 2011, a number of pro-Kremlin activists launched an attack on Twitter using bots which posted messages with a hashtag #триумфальная (Triumfalnaya). These bots posted a range of national slogans and crude language. With a rate of up to 10 messages per second, these bots succeeded in blocking the actual message feed with that hashtag.

The reason to boycott the conversations surrounding the pre-arranged #триумфалtная (Triumfalnaya) hashtag was that it had been announced as a channel for exchanging information by anti-government opposition protesters, and was also been used as a live text translation on protestor actions against the recent election results in Russia – which are taking place at Triumfalnaya Square in Moscow.

We recently found an interesting post in a Russian underground forum in the course of our research. People exchange information about their illegal activities in these kinds of forum. We found a user in the forum with the handle “sourcec0de” and ICQ number 291149 who currently offers root access to some of the cluster servers of MySQL.com and its subdomains.

The screenshot above shows that the seller appears to have a shell console window with root access to these servers. The price for each access starts at US$3,000 with the exchange of money/access being provided by the well-known garant/escrow system for which a trusted third party verifies both sides of a transaction.

We contacted MySQL.com about this issue last week. We are making this public to stress the fact that hackers do not only profit from selling stolen data or by inserting bad links into spam or phishing email, websites, and other possible infection vectors.

This case, regardless of whether sourcec0de’s claim is true or not, shows just how brazen cybercriminals are, selling administrative access to specific systems, which can be negatively impacted by their break-ins.